284475e51c1a4881b13f0bd9e73aea67381d662a — eau 4 years ago be38b05
I suck in formatting these markdown crap..
1 files changed, 15 insertions(+), 12 deletions(-)

M README.md => README.md +15 -12
@@ 3,12 3,12 @@
[![builds.sr.ht status](https://builds.sr.ht/~eau/passwd.svg)](https://builds.sr.ht/~eau/passwd?)


A simple golang password hashing package.


New "password hashing" algorithms (PHC) have emerged in order to counter the increase in hardware assets
available to crack passwords easily when they are stolen.

@@ 36,9 36,9 @@ You can also decide to use your own *Argon2* or *Scrypt* custom parameters with 

How to Use the package

# About Hashing Profiles
### **About Hashing Profiles**
It is an attempt to dimension crypto parameters to common use cases (interactive/web auth/blabla) vs file storage

- Default  : ~interactive.

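Review bot: the new heading `### **About Hashing Profiles**` wraps its text in bold, which is redundant inside a heading, and it drops from `#` straight to `###`. A plain `### About Hashing Profiles` is enough, with the level chosen by where the section sits under "How to Use the package". The context line under it still reads `(interactive/web auth/blabla)`; replace the placeholder with the actual use cases while this part of the README is being touched.
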
@@ 48,7 48,7 @@ Custom profiles allow a user to define its own hashing parameters if those defau

## Public vs Masked parameters
### **Public vs Masked parameters**

Commonly password hashing includes hashing parameters in order to provide interoperability.

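Review bot: `### **Public vs Masked parameters**` ends up at the same level as the two sections it introduces, `Public parameters (common practice)` and `Masked parameters`, which this commit also sets to `###`. Making those two `####` would let the outline show that they are the two options described under this heading.
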
@@ 56,7 56,7 @@ if no interoperability is needed (outside your authentication needs) and to make
attacker, you might "mask" your parameters (instead of embedding them in the resulting hash).

## Public parameters (common practice)
### **Public parameters (common practice)**

Public parameters will embbed the derivation parameters in the resulting hash.
This allows you to simply use the **`passwd.Compare()`** function against a hash without

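Review bot: the context line directly under the changed heading has a typo, `embbed` should be `embed`. Since the commit is a formatting pass over this exact section, fix it here.
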
@@ 64,7 64,7 @@ the need of a profile object.

## Masked parameters
### **Masked parameters**

Masked parameters will remove the derivation parameters from the resulting hash.
This requires you to **`passwd.NewMasked()`** before calling the profile **`Compare()`**

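Review bot: the sentence under the changed heading that starts "This requires you to" is missing a verb before `passwd.NewMasked()`, presumably "call". As written, a reader cannot tell whether `NewMasked()` has to be called, configured or stored before the profile `Compare()`.
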
@@ 76,7 76,7 @@ with your key derivation in order to attack it offline.
**!!! IMPORTANT !!! This is NOT what makes your hash safe, it just makes it slightly harder to attack offline.**     

## Key'ed Hash 
### **Key'ed Hash**

Key'd hashes makes it impossible to bruteforce (unless collision in hashes of course or the secret leaks), 

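Review bot: the new heading spells it `Key'ed` while the sentence under it says `Key'd`; settle on one spelling for heading and body (plain `Keyed` avoids the apostrophe). That sentence also says "makes it impossible to bruteforce" and then lists two exceptions in its own parenthesis, so wording it as infeasible while the secret stays private would match what the text already concedes. "hashes makes" should be "hashes make".
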
@@ 147,7 147,7 @@ done.


This package exclusively uses crypto algorithm implementations shipped in go extended crypto packages (located in `x/crypto/`)

@@ 162,7 162,8 @@ Note: small issue with git.sr.ht that prevents for now to go get subpackages ins
hopefully this helps understanding how to use this package.      

# Changelog

	* added key'd hash ability (using sha3-256/384 instead sha1/sha256) based on facebook key'd hmac salt/hash using 

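Review bot: `# Changelog` keeps its level-1 marker while the sections earlier in this diff move to `###`, so the README ends up with top-level and third-level headings and nothing in between. Decide on one outline for the whole file and apply it here too. The changelog entry below reads "instead sha1/sha256"; it needs "instead of".
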
@@ 186,7 187,8 @@ hopefully this helps understanding how to use this package.
* v0.1.0: initial release

# Important Notes
Important Notes

bcrypt is just a wrapper to `x/crypto/bcrypt`, only scrypt and argon support masked parameters.

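Review bot: the replacement for `# Important Notes` is shown as a bare `Important Notes` line with no heading marker; unless an underline (`===` or `---`) sits directly beneath it, Markdown renders it as ordinary paragraph text. The other headings changed in this commit use the `###` prefix style, so `## Important Notes` would keep a single heading style across the README.
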
@@ 195,7 197,8 @@ using a modern profile to store new passwords.

# Featuring (because there is always a star in your production..)
Featuring (because there is always a star in your production..)

* [Argon2](https://en.wikipedia.org/wiki/Argon2) for today key stretching.
* [Scrypt](http://en.wikipedia.org/wiki/Scrypt) for key stretching.
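
Review bot: the Scrypt link in the context lines uses `http://en.wikipedia.org/wiki/Scrypt` while the Argon2 link above it uses `https://`; switch it to `https://` for consistency. In the changed lines, `Featuring (because there is always a star in your production..)` loses its `#` prefix, so confirm that an underline follows it in the file, otherwise it will render as plain text right above the list.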